Ask LH: How Can I Choose A Good Password?

Dear Lifehacker, I always get stuck when a website asks me to register and choose a password. Almost all websites require this and it is sometimes hard to pick something I'll remember and not have to write down. Any ideas? Thanks, Pass Tense

I suggest reading up on Ars Technica for their series on security/hacking around passwords.

They go in-depth on how hacking works these days (table of emails and hashed passwords gets stolen, hackers attempt to guess yours, which can take minutes, days, weeks or years, then go by the 'people are lazy' rule and assume you use that email/password combo on more than one site).

Two main things change that minutes-years length when cracking passwords:
- Strength of the hashing algorithm -- you have no control over this
- Strength of the password -- you have control over this

Do not - do *not* use dictionary words, at all. Ever. Or replace letters in words with numbers/misspell them. When password guessing on custom rigs can happen at thousands/millions/more hashes a second, them trying a few variations on a word costs them less than a fraction of a second.

Same for mashing the keyboard to generate 'random' strings -- ever notice that a keyboard mash gets you a similar set of keypresses every time? Good crackers know that, and can predict it.

Use a password manager (I have LastPass, but there's more than one way to go), generate a unique password for each site, as complex as the site lets you have, and change every 1-3 months, as well as changing the password to your account on whatever password manager you use.

It's not about increasing password security, it's about limiting damage. By changing your password every month, anybody who potentially gets the password - however they do it - has a month to take advantage of it before they're once again locked out.

If you already practice good password security (two-factor when possible, original passwords for each service, etc.) it won't add much. If your computer is already compromised, it won't help much.

It's mostly used by companies because we know that some users will always have bad security practices. We can't stop them from using the same password on every terrible website or giving it away in exchange for a piece of gum, but we can reduce the length of time that specific password can be used to access company data.

After you change your password a few times you're less likely to re-use one of your usual passwords that you use on every other website. This is something that a very large number of people are guilty of (myself included).

When just *one* site that you've used it on has a breach, and if they use a weak hashing algorithm, your email/password combo can be used on any other site where that pair is in use.
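As an added example that is not from the original post or its commenters: a small Python checker, written from the defender's side, that applies two of the points above (undo the usual letter-for-symbol swaps before looking a candidate up in a word list, and spot runs of neighbouring keyboard keys that a "mash" produces), plus the password-manager approach of drawing every character from a CSPRNG and reporting the resulting search space in bits. The six-word dictionary, the swap table and the single QWERTY row layout are constructed stand-ins, not a real word list or a complete keyboard model.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list; a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "lifehacker"}
# Letter-for-symbol swaps that cracking rule sets undo routinely; we undo them before the lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
# US QWERTY letter rows (assumed layout), used to spot "mashed" runs of neighbouring keys.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# 52 letters + 10 digits + 32 symbols = 94 characters, the usual "as complex as the site allows" set.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def is_dictionary_based(pw: str) -> bool:
    """True if pw is a dictionary word dressed up with trailing digits/symbols and leet swaps."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP) in DICTIONARY

def longest_keyboard_run(pw: str) -> int:
    """Length of the longest substring that walks straight along one keyboard row, either direction."""
    s = pw.lower()
    best = 0
    for row in KEYBOARD_ROWS:
        for cand in (row, row[::-1]):
            for i in range(len(s)):
                for j in range(i + 1, len(s) + 1):
                    if s[i:j] not in cand:
                        break  # longer substrings starting at i cannot match either
                    best = max(best, j - i)
    return best

def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager does: draw each character from a CSPRNG, never from the keyboard."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random password, in bits; divide by guesses/second for crack time."""
    return length * math.log2(alphabet_size)

def assess(pw: str) -> str:
    """Verdict string; 'ok' only means these two checks found nothing, not that the password is strong."""
    if is_dictionary_based(pw):
        return "weak: dictionary word with substitutions"
    if longest_keyboard_run(pw) >= 4:
        return "weak: run of adjacent keyboard keys"
    return "ok"
```

A 20-character password from the 94-symbol alphabet gives about 131 bits, which is why a generated password plus a manager beats any memorised substitution scheme.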
